https://community.checkpoint.com/t5/General-Topics/HTTPS-Decryption/m-p/47931#M9353 <P>Hello,</P><P>I am looking to see if anyone has any suggestions/ideas on best ways for HTTPS web traffic etc.</P><P>At present I have a Cisco Proxy Appliance used for web traffic (on the inside of the Firewall) and I decrypt web traffic here.&nbsp; The Cisco Proxy Appliance can then allow/block the relevant traffic.</P><P>From the Check Point, I want to use this in a basic form to do additional blocking that the Cisco Proxy Appliance is unable to do ie block Dropbox/One Drive, Yahoo Messenger, etc) but at present this is not working fully as I don't have HTTPS Inspection enabled.</P><P>I am looking for any suggestions/ideas if anyone else has the same type of setup?</P><P>Ways I could do this at the moment would be:</P><P>1 - decrypt Cisco Proxy Appliance traffic and leave Firewall as is (Cisco could identify all traffic but Firewall wouldn't)</P><P>2 - no decrypt on Cisco Proxy Appliance and decrypt all traffic at Firewall&nbsp;(Cisco couldn't identify all traffic but Firewall could)</P><P>3 - decrypt Cisco Proxy Appliance traffic and decrypt Firewall traffic&nbsp;(Cisco and Firewall could&nbsp;identify all traffic however this may have performance impact)</P><P>Thanks</P> Wed, 20 Mar 2019 11:20:47 GMT NeilDavey 2019-03-20T11:20:47Z https://community.checkpoint.com/t5/General-Topics/HTTPS-Decryption/m-p/47931#M9353 <P>Hello,</P><P>I am looking to see if anyone has any suggestions/ideas on best ways for HTTPS web traffic etc.</P><P>At present I have a Cisco Proxy Appliance used for web traffic (on the inside of the Firewall) and I decrypt web traffic here.&nbsp; The Cisco Proxy Appliance can then allow/block the relevant traffic.</P><P>From the Check Point, I want to use this in a basic form to do additional blocking that the Cisco Proxy Appliance is unable to do ie block Dropbox/One Drive, Yahoo Messenger, etc) but at present this is not working fully as I don't have HTTPS Inspection enabled.</P><P>I am looking for any suggestions/ideas if anyone else has the same type of setup?</P><P>Ways I could do this at the moment would be:</P><P>1 - decrypt Cisco Proxy Appliance traffic and leave Firewall as is (Cisco could identify all traffic but Firewall wouldn't)</P><P>2 - no decrypt on Cisco Proxy Appliance and decrypt all traffic at Firewall&nbsp;(Cisco couldn't identify all traffic but Firewall could)</P><P>3 - decrypt Cisco Proxy Appliance traffic and decrypt Firewall traffic&nbsp;(Cisco and Firewall could&nbsp;identify all traffic however this may have performance impact)</P><P>Thanks</P> Wed, 20 Mar 2019 11:20:47 GMT https://community.checkpoint.com/t5/General-Topics/HTTPS-Decryption/m-p/47931#M9353 NeilDavey 2019-03-20T11:20:47Z https://community.checkpoint.com/t5/General-Topics/HTTPS-Decryption/m-p/48164#M9400 Why are you maintaining two seperate security solutions? Thu, 21 Mar 2019 18:28:24 GMT https://community.checkpoint.com/t5/General-Topics/HTTPS-Decryption/m-p/48164#M9400 PhoneBoy 2019-03-21T18:28:24Z https://community.checkpoint.com/t5/General-Topics/HTTPS-Decryption/m-p/48173#M9402 <P>I do not think that pairing your Cisco appliance with Check Point gateway is the optimal solution.</P> <P>I'd have all traffic decrypted analyzed and blocked or allowed by Check Point.</P> <P>"One to many" dedicated SSL decryptors/re-encryptors are a different story, but we are talking about IXIA, Gigamon, F5 or Symantec SSL in these cases.</P> Thu, 21 Mar 2019 20:48:20 GMT https://community.checkpoint.com/t5/General-Topics/HTTPS-Decryption/m-p/48173#M9402 Vladimir 2019-03-21T20:48:20Z https://community.checkpoint.com/t5/General-Topics/HTTPS-Decryption/m-p/48369#M9444 The Cisco Proxy Appliance is our corporate standard product for Web Filtering and the reporting is also very detailed. I have in the past tried to use the Check Point URL/App Control for filtering but had issues where some sites would be allowed which I would not want and vice versa. I also am unsure why Check Point categorize websites as multiple categories (example, <A href="http://www.playboy.com" target="_blank">www.playboy.com</A> Categories: Sex, Nudity, Entertainment). This was causing issues in creating a base policy for users which didn't work for us.<BR /><BR />I was just seeing if anyone else had a main filtering product but also used the Check Point for more granular filtering. Sat, 23 Mar 2019 09:20:40 GMT https://community.checkpoint.com/t5/General-Topics/HTTPS-Decryption/m-p/48369#M9444 NeilDavey 2019-03-23T09:20:40Z